DevSecOps Requires More than DevOps Patching

Organizations around the globe are making the digital transformation to DevOps to achieve a more agile development cycle. In doing so, however, they may be relying on developers who lack security skills and exposing themselves to security issues.

As ComputerWeekly Senior Editor Warwick Ashford wrote recently, “DevOps delivers proven benefits in terms of business agility, but it can also create new security risks and revive old ones.”

The article goes on to cite CyberArk VP of DevOps security, Elizabeth Lawler, who blames the security risk upon a lack of education. She adds that too many organizations are overlooking application security in favor of agility.

“By their very nature, developers aren’t security practitioners,” said Lawler. “They are responsible for features and functionality, not figuring out how to manage credential collaboration and security for those key assets.” Lawler’s comments are in line with the findings of research conducted by CyberArk, which found that nearly three-fourths of organizations lacked approaches to tackle security for DevOps.

Enter DevSecOps – DevOps with security tools integrated into the development and testing stages of software development. While organizations do not deny the need to make DevOps more secure or to insert security testing into DevOps practices, exactly how security should be integrated remains a question.

Security expert Vladimir Jirasek, chief executive at Jirasek Security Consulting, suggests that one reason for the lack of focus on security comes straight from the top.

“Security managers and CISOs need to come down from their ivory towers that are weakly supported by artificial and theoretical security postulates,” wrote Jirasek. “They have to offer practical advice that solves security problems that developers and IT teams will inevitably face.”

Jirasek’s solution, however, was to have security teams do more patching and testing. This may catch the proverbial “tip of the iceberg” of security issues, but it treats symptoms, not causes.

Examples of cyberattacks over the past few years illustrate the need to do more than just test and patch. WannaCry spread by exploiting vulnerabilities in old Windows software code. Similarly, the breaches announced by Uber over the last few years took place because developers used “workarounds” to manage data in its software repositories.

In both cases, testing would not likely have discovered the issues, because the systems had worked previously. And an organization can only patch an issue after it has been identified, so patching is always after-the-fact.

Furthermore, relying upon separate application security teams to retrofit security measures into already developed applications is not only inefficient, but also prone to missing critical issues that can hide in complex business software – much like trying to shore up a foundation after the skyscraper is already built.

Lawler’s approach to achieving DevSecOps goes more to “ground zero” of the problem.

“Companies ask developers to manage security assets when it is beyond their core job function and they have little experience in doing so,” she said. “The future will be in automation for making security more seamless, and that means making security part of developers’ native experience.”

Only by shifting even further left can dev and security teams work together to integrate application security analysis at multiple points during the SDLC, build security in from the start, and automate the process for ongoing development needs.
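As an added illustration of the shift-left idea above (example code written for this article, not the article’s own or any vendor’s tooling): a minimal pre-commit or CI gate that scans only the added lines of a unified diff for credential patterns, so the kind of repository “workaround” the article attributes to the Uber breaches is rejected before the code is ever built or tested. The detection rules, the file path and both diff samples are constructed for the example; a real deployment would use a maintained ruleset with entropy checks rather than three regexes.

```python
"""Shift-left secret gate: reject a diff that adds credential-like lines.

Added example, not from the article. Rules, paths and sample diffs are
constructed for illustration only.
"""
import re
import sys
from dataclasses import dataclass

# Constructed detection rules (illustrative, not a production ruleset).
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    # Quoted literal of 8+ chars assigned to a password/secret/api-key name.
    "generic_password_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int   # line number in the *new* version of the file
    rule: str
    snippet: str


def scan_diff(diff_text):
    """Return a Finding for every added line that matches a rule.

    Removed lines are ignored: a secret being deleted is the fix, not a
    finding. Context lines advance the new-file line counter but are not
    scanned, since they were already in the repository before this change.
    """
    findings = []
    path = None
    new_line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):          # new-file header, e.g. "+++ b/x.py"
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("---"):           # old-file header
            continue
        if raw.startswith("@@"):            # hunk header: "@@ -a,b +c,d @@"
            m = re.search(r"\+(\d+)", raw)
            new_line_no = int(m.group(1)) if m else 0
            continue
        if raw.startswith("-"):             # removed line: not in new file
            continue
        if raw.startswith("+"):             # added line: scan it
            content = raw[1:]
            for name, rx in RULES.items():
                if rx.search(content):
                    findings.append(Finding(path, new_line_no, name, content.strip()))
        new_line_no += 1                    # added or context line
    return findings


def gate(diff_text):
    """Exit status for a hook/CI step: 0 = clean, 1 = secrets found."""
    return 1 if scan_diff(diff_text) else 0


# Constructed sample: a developer hard-codes credentials "temporarily".
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+# TODO remove before release
+DB_PASSWORD = "hunter2-but-longer"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
 DEBUG = False
"""

# Constructed sample: the corrected change, reading the secret from the environment.
CLEAN_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,3 @@
 import os
-DB_PASSWORD = "hunter2-but-longer"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
 DEBUG = False
"""

if __name__ == "__main__":
    # In a pre-commit hook the diff would come from `git diff --cached`.
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for f in scan_diff(diff):
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.snippet}")
    sys.exit(gate(diff))
```

Wired in as a pre-commit hook the gate stops the secret on the developer’s machine; wired in again as a CI job on every pull request it catches anything that bypassed the hook. That duplication at two points of the SDLC, rather than a single review by a separate security team, is the “multiple points” the paragraph above describes.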

The Software Intelligence provided by automated application security assessment not only weeds out bad, insecure code; it also creates a better understanding of the organization’s application architecture, end-to-end transaction flows, data access patterns, and more. Teams can develop applications faster and with better quality and security.

By incorporating Software Intelligence to achieve true DevSecOps, organizations will ultimately improve their application quality, enhance end-user satisfaction, speed time-to-market, prevent business disruption and reduce cost. These benefits allow IT teams to move past security obstacles and give them the time to tackle the next wave of innovation, rather than having to fix the last one.

Jonathan Bloom has been a technology writer and consultant for over 20 years. During his career, Jon has written thousands of journal and magazine articles, blogs and other materials addressing various topics within the IT sector, including software development, enterprise software, mobile, database, security, BI, SaaS/cloud, Health Care IT and Sustainable Technology.